on the basis of Articles 31bis paragraphs 64, 64bis and 85, Article 1 of the Federal Constitution, and having considered the Report of the Federal Council dated 23rd March 1988,

decrees

Section 1: Objective, Scope and Definitions

Article 1 Objective

This Act shall seek to protect the personality and the fundamental rights of those individuals about whom data is processed.

Article 2 Scope

1 This Act shall regulate the processing of data about physical and legal persons undertaken by:

a) private individuals

b) Federal authorities

2 It shall not apply to:

a) personal data that is processed by a natural person exclusively for personal use and that is not disclosed to a third party;

b) deliberations of the Federal Parliament and Parliamentary Committees;

c) pending civil, penal, or international legal assistance proceedings, or public or administrative law proceedings, with the exception of administrative proceedings of the first instance;

d) public registers relating to private law matters;

e) personal data processed by the International Committee of the Red Cross.

Article 3 Definitions

The expressions below shall be defined as follows:

a) personal data: all information relating to an identified or identifiable person,

b) persons affected: the physical or legal persons about whom data is processed,

c) sensitive personal data: data relating to:

1. religious, philosophical, political or trade union-related opinions or activities,

2. health, sexuality or racial origin,

3. social security files,

4. criminal or administrative proceedings and penalties;

d) personal profile: a collection of data that allows the appraisal of fundamental characteristics of the personality of a natural person;

e) processing: any operations relating to personal data, irrespective of the equipment and procedures used, and in particular the collection, storage, use, modification, communication, archiving or the destruction of data;

f) disclosure: rendering data accessible, for example by allowing access to data by either transferring, distributing, or publishing the data;

g) file: a collection of personal data whose structure facilitates a search for data on a particular individual;

h) Federal authority: the authorities or departments of the Swiss Confederation as well as any persons working for the Swiss Confederation;

j) file controller: the private persons or Federal authorities who decide on the purpose and the content of the file;

2. resolutions of international organisations that are binding on Switzerland and international law treaties that have been ratified by the Federal Assembly and that have legislative content.

Article 4 Principles

1 All processing of personal data must be undertaken in a lawful manner.

2 Processing must be conducted in good faith and must not be excessive.

3 Personal data may only be processed for the purpose either for which it was collected, or which is evident from the circumstances, or which is provided for by the law.

Article 5 Data accuracy

Whoever processes personal data must ensure that the information is correct. Any persons affected can request the rectification of inaccurate data.

Article 6 Transborder data flows

1 No personal data may be transferred abroad if the personal privacy of the persons affected could be seriously endangered, and in particular in cases where there is a failure to provide protection equivalent to that provided under Swiss law.

3 The Federal Council shall regulate the notification procedure in detail. It may provide for a simplified notification procedure or exemptions from the duty to notify in the event that the processing does not endanger the privacy of the persons affected.

Article 7 Data security

1 Personal data must be protected against unauthorised processing by appropriate organisational and technical means.

2 The Federal Council shall enact more detailed provisions on the minimum data security measures.

Article 8 Right of information

1 Anyone may ask a file controller if data stored relating to him is being processed.

2 The file controller must provide information on:

a) all data relating to the individual that is contained in the file;

b) the purpose and if necessary the legal basis for the processing, the categories of processed data, the individuals involved in processing the file, and the individuals designated to receive the file.

3 The file controller may disclose data relating to the health of an affected person to that person via a doctor designated by the person.

4 In the event that the file controller has the personal data processed by a third party, the file controller shall remain responsible for providing any information that is requested. The third party shall be obliged to provide information in the event that it does not disclose the name of the file controller or in the event that the file controller is not resident in Switzerland.

5 The information should, as a general rule, be provided free of charge and submitted in writing in printed form or as a photocopy. The Federal Council shall regulate exemptions from the foregoing.

6 No authority shall have the right to waive their right to information in advance.

Article 9 Restriction of the Right to Information: General

1 A file controller may refuse to provide, or restrict or defer the provision of the requested information in cases where:

a) a formal provision of the law so provides;

b) he is required to do so due to the overriding interests of a third party.

2 A Federal authority may refuse to provide, or restrict or defer the provision of the requested information in cases where:

a) it is required due to overriding public interests, and in particular in the interests of the internal or external security of the Confederation;

b) the communication of the information may compromise criminal proceedings or other investigative processes.

3 A private file controller may additionally refuse to provide, or restrict or defer the provision of requested information when it is in his own overriding interest and on the condition that the data is not passed on to a third party.

4 The file controller must indicate the reason why he is refusing, restricting or deferring access to the information.

Article 10 Restriction of the Right to Information for Media Employees

1 The file controller who uses a file for the sole purpose of publication in the editorially-controlled section of a periodically published media organ may refuse to provide, or restrict or defer the provision of the requested information if:

a) the personal data provides information as to its source;

b) a right to examine drafts for publication must result;

c) the freedom to shape public opinion will be compromised.

2 Journalists may additionally refuse, restrict or prevent the communication of information requested if a file is being used exclusively as personal work aid.

2 Federal government authorities must declare all files to the Federal Data Protection Commissioner for registration.

3 Private individuals who regularly process sensitive data, data profiles or communicate personal data to a third party must register their files if:

a) the processing of such data is not subject to a legal requirement and

b) the persons affected are unaware that such data is being processed.

4 The files must be registered prior to processing.

5 The Federal Council shall issue regulations on the registration of files and on the maintenance and publication of the register. It may also provide for exemptions from the duty to declare or register for certain types of files, provided the processing does not endanger the privacy of the persons affected.

Section 3: Processing of personal data by private persons

Article 12 Infringement of privacy

1 Whoever processes personal data must not unlawfully infringe the privacy of the persons affected.

b) process personal data against the express wishes of the data subject;

c) disclose to a third party any sensitive data or personal profiles.

3 As a general rule, a person’s rights cannot be infringed if the person affected has made the data generally available to the public and has not expressly prohibited processing.

Article 13 Lawful justification

1 An infringement of privacy shall be unlawful unless it is justified by the consent of the person affected, by an overriding public or private interest or by the law.

2 The overriding interests of the processing person shall in particular be taken into account where the processing person:

a) in direct connection with the conclusion or performance of a contract, processes personal data about his contractual partner;

b) is in or wishes to enter into commercial competition with another person and processes personal data for this purpose, without disclosing this personal data to a third party;

c) processes personal data for the purpose of evaluating the creditworthiness of another person, provided the data is neither sensitive nor constitutes a personality profile, and only discloses such data to a third party in the event that it is required for the conclusion or performance of a contract with the person affected;

d) processes data on a professional basis for the sole purpose of publication in the editorially controlled section of a periodically published media organ;

e) processes data for non-personal purposes, and in particular in the context of research, planning or statistics, and publishes the results in such a manner that the identity of the persons affected cannot be established;

f) gathers data relating to a public person, provided the data concerns his public life.

Article 14 Data processing by a third party

1 The processing of data may be entrusted to a third party provided:

a) the mandating party ensures that no processing occurs that he would not be permitted to carry out himself;

b) the processing is not prohibited by a legal or contractual duty of confidentiality.

2 The third party may assert the same grounds of lawful justification as the mandating party.

Article 15 Claims and legal procedures

1 Legal proceedings or interim measures relating to the protection of the personality are governed by Articles 28 to 28l of the Swiss Civil Code. The plaintiff in any legal proceedings may specifically request that the personal data be corrected or destroyed, or that its disclosure to third parties be prohibited.

2 In the event that the accuracy or inaccuracy of personal data cannot be established, the plaintiff may request that the particular data be marked accordingly.

3 The plaintiff may request the notification of third parties or publication of the judgement relating to the data or of the correction, destruction, prohibition of communication, or the marking of the data as to its litigious character.

4 The court shall rule on matters relating to the assertion of the right to information in a simple and rapid procedure.

Section 4 Processing of personal data by federal authorities

Article 16 Responsible authority

1 Any Federal authority that processes personal data or has such data processed in the execution of its duties shall be responsible for ensuring the protection of such data.

2 In the event that a Federal authority processes personal data jointly with other Federal authorities, with cantonal authorities or with private persons, the Federal council may regulate the specific responsibilities with regard to data protection.

Article 17 Legal principles

1 Federal authorities may process data only if there is a legal basis for doing so.

2 Sensitive data or personal profiles may be processed only if a formal law expressly provides therefor or if, exceptionally:

a) such processing is indispensable for the fulfilment of a task clearly defined in a formal law;

b) the Federal council has authorised such processing, because rights of the persons affected are not jeopardised or

c) the person affected in the specific case has granted express consent or has personally made the data accessible to the public.

Article 18 Collection of personal data

1 Any Federal authority that systematically collects data, in particular through the use of questionnaires, must specify the objective of and the legal basis for the processing, the categories of persons dealing with the file, and the recipients of the data.

2 The collection of sensitive data or of personal profiles relating to the characteristics of a person must be carried out in a manner that is visible to the persons affected.

Article 19 Disclosure of personal data

1 Federal authorities may disclose personal data provided they have legal grounds for doing so in terms of Article 17 or if:

a. the data is indispensable to the recipient in the specific case in order to fulfil its legal duties;

b. the person affected has given his express consent in the specific case or the circumstances imply such consent;

c. the person affected has made the data accessible to the public or

d. the recipient credibly asserts that the person affected is refusing to give consent or prohibiting disclosure in order to prevent the recipient from asserting legal rights or from safeguarding other interests that are worthy of protection; whenever possible the person affected must be allowed the opportunity to state his case.

2 Federal authorities may, on request, disclose the name, first name, the address and the date of birth of a person even if the conditions set forth in paragraph 1 are not fulfilled.

3 Federal authorities may make personal data available via remote access, provided express provision is made therefor. Sensitive data or personal profiles may only be made available via remote access provided a formal law provides therefor.

4 The Federal authority shall refuse to disclose data, or restrict such disclosure or make it subject to conditions if:

a. essential public interests or if the clear interests of the person affected so require or if

b. a statutory duty of confidentiality or a specific data protection regulation so requires.

Article 20 Prohibition of disclosure

1 A person affected who credibly asserts a legitimate interest may request the competent Federal authority to prohibit the disclosure of certain data.

2 The Federal authority may refuse to prohibit disclosure or revoke any such prohibition if:

a. there is a legal duty of disclosure;

b. the performance of its duties would be compromised.

Article 21 Making data anonymous, destroying data

1 Federal authorities must make personal data that they no longer require anonymous or destroy such personal data unless the data;

a. is to be retained as evidence or for security purposes or

b. is to be stored in the Federal Archives.

Article 22 Processing for the purposes of research, planning, and statistics

1 Federal authorities may process personal data for reasons not related to the persons affected, and in particular for the purposes of research, planning or statistics provided:

a. the data is made anonymous as soon as the objective of the data processing allows;

b. the recipient shall only pass on the data to a third party with the consent of the Federal authority;

c. the results of data processing are published in a form that does not allow identification of the persons affected.

2 The requirements of the following provisions need not be met:

a. Article 4 paragraph 3, on the purpose of the data processing;

b. Article 17 paragraph 2, on the legal basis for the processing of sensitive data and personal profiles.

c. Article 19 paragraph 1, on the disclosure of personal data.

Article 23 Private law activities of Federal authorities

1 In the event that a Federal authority acts on the basis of private law, the provisions on the processing of personal data by private persons shall apply.

2 Supervision of such private law activities shall be conducted in accordance with the provisions applicable to Federal authorities.

Article 24

Article 25 Rights and procedures

1 Anyone with a legitimate interest may request that the responsible Federal authority;

a. refrain from proceeding with unlawful data processing;

b. nullify the effects of unlawful data processing;

c. declare the unlawful nature of the data processing.

2 If the accuracy or inaccuracy of personal data cannot be established, the Federal authority shall be required to mark the data with a note to this effect.

3 The person making the request may in particular request that the Federal authority

a. correct or destroy the data or ensure that it is not disclosed to a third party;

b. publish or communicate to third parties its decision, namely to correct or destroy the personal data, or prohibit its disclosure or to mark it as being of a contentious nature.

4 The procedure shall be governed by the Federal Act on Administrative Procedure. The exceptions set out in Articles 7 and 3 of the Federal Act on Administrative Procedure shall not apply.

5 The decisions made by a Federal authority shall be subject to a right of appeal to the Federal Data Protection Commission. The decisions made by the Commission shall be subject to a right of appeal under administrative law to the Swiss Federal Supreme Court.

Section 5: The Swiss Federal Data Protection Commissioner

Article 26 Appointment and Status

1 The Swiss Federal Data Protection Commissioner shall be appointed by the Federal Council.

2 He shall perform his duties autonomously and shall be affiliated for administrative purposes to the Federal Department of Justice and Police.

3 He shall have a permanent staff.

Article 27 Supervision of Federal Authorities

1 The Commissioner shall supervise compliance by Federal authorities with this Act and other Federal regulations relating to data protection. The Federal Council shall be exempted from such supervision.

2 The Commissioner shall investigate cases on his own initiative or at the request of third parties.

3 In order to investigate cases, he may request the production of documents, obtain information and have the data processing activities explained to him. The Federal authorities shall be obliged to cooperate in the investigation of any case. The right to refuse to give evidence in terms of Article 16 of the Federal Act on Administrative Procedure shall apply by analogy.

4 In the event that an investigation reveals that data protection provisions have been infringed, the Commissioner may recommend that the responsible Federal authority modify or cease data processing activities. He shall inform the relevant department or the Federal Chancellery of his recommendation.

5 In the event that a recommendation is not complied with or is rejected, the Commissioner may refer the matter to the department or the Federal Chancellery for decision. Notice of the decision shall be given to the persons affected.

Article 28 Advisory services for private individuals

The Commissioner may advise private individuals on the issue of data protection.

Article 29 Investigations and recommendations in the private sector

1 The Commissioner shall conduct investigations on his own initiative or at the request of a third party when

a. the methods of processing are capable of infringing the privacy of a larger number of persons (system error);

b. files must be registered (Art. 11);

c. disclosure of data outside Switzerland must be declared (Art. 6).

2 He may request the production of documents, obtain information and have the data processing activities explained to him. The right to refuse to give evidence in terms of Article 16 of the Federal Act on Administrative Procedure shall apply by analogy.

3 On the basis of his investigation, the Data Protection Commissioner may recommend the modification or cessation of the data processing activities.

4 In the event that such a recommendation by the Commissioner is not complied with or rejected, he may refer the matter to the Federal Data Protection Commission for decision.

Article 30 Information

1 The Commissioner shall submit a report at regular intervals and as required to the Federal Council. These periodical reports shall be published.

2 In cases of public interest, he may inform the public of his findings and recommendations. He may only disclose data that has been given to him subject to official secrecy if he has the consent of the competent authority. In the event that such consent is withheld by the authority, the President of the Federal Data Protection Commission shall make a decision, which shall be final.

b. he shall give his opinion on draft Federal legislation and on Federal measures that have a bearing on data protection;

c. he shall co-operate with data protection authorities both within and outside Switzerland;

d. he shall examine the extent to which foreign data protection measures are equivalent to those in Switzerland.

2 The Commissioner may also advise departments of the Federal Administration in cases where this Act is inapplicable in terms of Art. 2 paragraph 2 c and d. The departments of the Federal Administration may allow the Commissioner to inspect their activities.

Article 32 Duties relating to medical research

1 The Commissioner shall advise the Commission of Experts on Professional Confidentiality in bis Medical Research (art. 321 Swiss Penal Code (PC));

2 In the event that this Commission authorises the lifting of confidentiality, he shall monitor compliance with the related conditions therefor. In this regard, he may conduct investigations in terms of Article 27 paragraph 3.

3 The Commissioner shall have a right of appeal against decisions made by the Commission of Experts to the Federal Data Protection Commission.

4 He shall work towards ensuring that the patients are informed of their rights.

Section 6: Federal Data Protection Commission

1 The Federal Data Protection Commission is an arbitration and appeals commission in accordance with Article 71 a-c of the Federal Law on Administrative Procedure. It makes decisions on:

a. the recommendations of the Commissioner (Article 29 paragraph 4) that are laid before it;

b. appeals against decisions made by Federal authorities relating to data protection matters, with the exception of those decisions made by the Federal Council;

c. appeals against the decisions of the Commission of Experts on Professional Confidentiality in medical research (Art. 321 PC)13;

d. appeals against cantonal decisions of the final instance that are based on Federal public law provisions on data protection.

2 In the event that the Commissioner establishes, as a result of an enquiry undertaken in accordance with the provisions of Article 27 paragraph 2 or Article 29 paragraph 1, that the person affected may be prejudiced in a manner that would be difficult to rectify, he may apply to the President of the Data Protection Commission for interim measures to be ordered. Articles 79 to 84 of the Federal Law or Federal Civil Procedure shall apply by analogy to this procedure.

Section 7: Penal sanctions

Article 34 Breach of duties to provide information, to register data, and to co-operate

1 Private individuals who fail to fulfil their duties as set out in Article 8, 9 and 10 by wilfully providing inaccurate or incomplete information shall be punishable on application for prosecution by a term of detention or a fine.

2 Private individuals who wilfully:

a. fail to declare a file in terms of Article 11 or a disclosure of data abroad in terms of Article 6 or who provide false information in their declaration;

b. provide false information or refuse to co-operate in the investigation of a case (Art. 29)

shall be punishable by a term of detention or a fine.

Article 35 Breach of Professional Secrecy

1 Whoever wilfully and without authorisation discloses confidential and sensitive personal data or personal profiles that have come to his knowledge in the course of professional activities that require that he has knowledge of such data, shall be punishable on application for prosecution by a term of detention or by fine.

2 Whoever wilfully and without authorisation discloses confidential and sensitive personal data or personal profiles that have come to his knowledge in the course of his activities for persons who are subject to a duty of professional secrecy or in the course of his vocational training with such persons, shall also be punishable on application for prosecution by a term of detention or a fine.

3 The illegal communication of confidential and sensitive data or personal profiles shall also be punishable after the relevant person has ceased to practise his profession or has completed his vocational training.

Section 8: Final provisions

Article 36 Implementation

1 The Federal Council shall enact the implementation provisions.

2 ...

3 It can allow for deviations from Articles 8 and 9 relating to the disclosure of information by diplomatic and consular representatives of Switzerland abroad.

4 It may further determine

a. which files require processing regulations;

b. the conditions under which a Federal authority may have personal data processed by a third party or processed on behalf of a third party;

c. the manner in which the means of identifying individuals may be used.

5 It may enter into international data protection treaties provided these are in conformity with the basic principles of this Act.

6 It shall issue regulations as to how files must be secured that contain data that in the event of war or a crisis could lead to the life or health of the persons affected being endangered. $UWLFOH

Article 37 Implementation by the Cantons

1 Insofar as cantonal data protection provisions do not exist, the processing of personal data by cantonal organs in the execution of the Federal law shall be regulated by Articles 1 to 11, 16 to 23, and Article 25 paragraphs 1 to 3 of the present Act.

2 The Cantons must designate a supervisory authority to be responsible for monitoring compliance with data protection provisions. Articles 27, 30 and 31 shall apply by analogy.

Article 38 Transitional Provisions

1 File controllers must declare any existing files that must be registered in terms of Article 11 within one year of the date on which this Act comes into force.

2 Within one year of the date on which this Act comes into force, they must take the measures required to allow them to disclose information in terms of Article 8.

3 Federal authorities may continue to use existing files that contain sensitive personal data or personal profiles until 31 December 2000, without having to fulfil the requirements of Article 17 paragraph 2.

4 For matters relating to asylum seekers and foreign persons, the period allowed in paragraph 3 shall be extended until the totally revised Asylum Act and the amended Federal Act of 26 March 1931 on the Residence and Settlement of Foreign Persons come into force.

Article 39 Referendum and Commencement

1 This Act shall, if so required, be the subject of a referendum.

2 The Federal Council shall determine the date on which this Act shall come into force.

Commencement date: 1 July 1993

16 Version in accordance with Section I of the Federal Decree of 26 June 1998, in force until 31 December 2000 (AS ((' 1586; BBl ((' 1579 1583). 17 SR #!! 18 Inserted by Section II of the Federal Decree of 20 June 1997, in force since 1 January 1998 (AS ((& 2372; BBl ((& I 877). The legislation cited comes into force on 1 October 1999. 19 Decree of the Federal Council of 14 June 1993 (AS ((" 1958).

Amendment of federal acts

1. The Federal Act on the Administration of Justice20 shall be amended as follows

Art. 100 first sentence...

2. The Code of Obligations shall be amended as follows:

Art. 382b

...

Art. 362 paragraph 1.

3. The Federal Act of 18 December 1987 on International Private Law (IPL) shall be amended as follows: